The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and are helpful for passing the ISACA CISA exam and earning the ISACA CISA certification.
CISA Question 1711
Question
Default permit is only a good approach in an environment where:
A. security threats are non-existent or negligible.
B. security threats are non-negligible.
C. security threats are serious and severe.
D. users are trained.
E. None of the choices.
Answer
A. security threats are non-existent or negligible.
Explanation
“Everything not explicitly permitted is forbidden” (default deny) improves security at a cost in functionality. This is a good approach if you have lots of security threats. On the other hand, “Everything not explicitly forbidden is permitted” (default permit) allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible.
CISA Question 1712
Question
“Everything not explicitly permitted is forbidden” has which of the following kinds of tradeoff?
A. it improves security at a cost in functionality.
B. it improves functionality at a cost in security.
C. it improves security at a cost in system performance.
D. it improves performance at a cost in functionality.
E. None of the choices.
Answer
A. it improves security at a cost in functionality.
Explanation
“Everything not explicitly permitted is forbidden” (default deny) improves security at a cost in functionality. This is a good approach if you have lots of security threats. On the other hand, “Everything not explicitly forbidden is permitted” (default permit) allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible.
CISA Question 1713
Question
A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?
A. Full-scale test with relocation of all departments, including IT, to the contingency site
B. Walk-through test of a series of predefined scenarios with all critical personnel involved
C. IT disaster recovery test with business departments involved in testing the critical applications
D. Functional test of a scenario with limited IT involvement
Answer
D. Functional test of a scenario with limited IT involvement
Explanation
After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the business continuity plan (BCP) before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.
CISA Question 1714
Question
A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?
A. The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology.
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
C. The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase.
D. The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff.
Answer
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
Explanation
It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four possible areas of impact in a disaster: premises, people, systems, and suppliers and other dependencies. All scenarios can be reduced to these four categories and can be handled simultaneously. There are very few special scenarios which justify an additional separate analysis. It is a good idea to use best practices and external advice for such an important topic, especially since knowledge of the right level of preparedness and the judgment about adequacy of the measures taken is not available in every organization. The recovery time objectives (RTOs) are based on the essential business processes required to ensure the organization’s survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines recommend having 20%-40% of normal capacity available at an emergency site; therefore, a value of 50% would not be a problem if there are no additional factors.
CISA Question 1715
Question
To optimize an organization’s business contingency plan (BCP), an IS auditor should recommend conducting a business impact analysis (BIA) in order to determine:
A. the business processes that generate the most financial value for the organization and therefore must be recovered first.
B. the priorities and order for recovery to ensure alignment with the organization’s business strategy.
C. the business processes that must be recovered following a disaster to ensure the organization’s survival.
D. the priorities and order of recovery which will recover the greatest number of systems in the shortest time frame.
Answer
C. the business processes that must be recovered following a disaster to ensure the organization’s survival.
Explanation
To ensure the organization’s survival following a disaster, it is important to recover the most critical business processes first. It is a common mistake to overemphasize value (A) rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. Choices B and D are not correct because neither the long-term business strategy nor the mere number of recovered systems has a direct impact at this point in time.
CISA Question 1716
Question
An IS auditor can verify that an organization’s business continuity plan (BCP) is effective by reviewing the:
A. alignment of the BCP with industry best practices.
B. results of business continuity tests performed by IS and end-user personnel.
C. off-site facility, its contents, security and environmental controls.
D. annual financial cost of the BCP activities versus the expected benefit of implementation of the plan.
Answer
B. results of business continuity tests performed by IS and end-user personnel.
Explanation
The effectiveness of the business continuity plan (BCP) can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. All other choices do not provide the assurance of the effectiveness of the BCP.
CISA Question 1717
Question
An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)?
A. Review whether the service provider’s BCP process is aligned with the organization’s BCP and contractual obligations.
B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster.
C. Review the methodology adopted by the organization in choosing the service provider.
D. Review the accreditation of the third-party service provider’s staff.
Answer
A. Review whether the service provider’s BCP process is aligned with the organization’s BCP and contractual obligations.
Explanation
Reviewing whether the service provider’s business continuity plan (BCP) process is aligned with the organization’s BCP and contractual obligations is the correct answer since an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. Reviewing whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster is not the correct answer since the presence of penalty clauses, although an essential element of a SLA, is not a primary concern.
Choices C and D are possible concerns, but of lesser importance.
CISA Question 1718
Question
The activation of an enterprise’s business continuity plan should be based on predetermined criteria that address the:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
Answer
A. duration of the outage.
Explanation
The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.
CISA Question 1719
Question
While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructural damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:
A. the salvage team is trained to use the notification system.
B. the notification system provides for the recovery of the backup.
C. redundancies are built into the notification system.
D. the notification systems are stored in a vault.
Answer
C. redundancies are built into the notification system.
Explanation
If the notification system has been severely impacted by the damage, redundancy would be the best control. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. The recovery of the backups has no bearing on the notification system and storing the notification system in a vault would be of little value if the building is damaged.
CISA Question 1720
Question
Integrating business continuity planning (BCP) into an IT project aids in:
A. the retrofitting of the business continuity requirements.
B. the development of a more comprehensive set of requirements.
C. the development of a transaction flowchart.
D. ensuring the application meets the user’s needs.
Answer
B. the development of a more comprehensive set of requirements.
Explanation
Integrating business continuity planning (BCP) into the development process ensures complete coverage of the requirements through each phase of the project.
Retrofitting of the business continuity plan’s requirements occurs when BCP is not integrated into the development methodology. Transaction flowcharts aid in analyzing an application’s controls. A business continuity plan will not directly address the detailed processing needs of the users.